Hey everyone
I've recently swapped over to an OpenWrt router (GL.iNet GL-MT6000), connected via the WAN1 port to a DHCP-based ISP through an NBN box (external modem) in Australia.
I've installed AdGuard on the router and configured it to listen on multiple addresses, as I have multiple LANs.
My intention is to have all DNS queries resolved through AdGuard, which should use OpenDNS as its upstream, because the AdGuard public DNS servers are returning incorrect results.
I have multiple internal networks for different use cases
- 192.168.2.0 (lan): internal LAN, wired and Wi-Fi, full internet access; can access all other networks and other clients
- 192.168.3.0: internal, wired, no network access; managed through 192.168.2.8, not the router
- 192.168.4.0 (iot): isolated network, Wi-Fi; can reach the internet but no other clients
- 192.168.5.0 (ciot): internal network, Wi-Fi; no internet access but can access other clients
Pretty basic network diagram; the arrows aren't accurate.
Unfortunately, AdGuard's public DNS has an incorrect entry for my domain, and even though I've configured AdGuard not to use their DNS servers, it is still returning the incorrect resolution, so my DNS config must be wrong somewhere.
I was hoping someone could point out any configuration issues, please.
I have no idea if I'm making the right entries for `list dhcp_option`; it didn't work without what I've added, but I haven't found a clear description of what the 3, 6, and 15 before the gateway address mean:
- 3,192.168.2.1
- 6,192.168.2.1
- 15,lan
Just FYI, the way I realised my config was incorrect: from a Linux box, if I run `mtr mydomain.com`, I get:
mydomain.com (192.168.2.48) -> mydomain.com (44-44-44-33)
Host
1. OpenWrt.lan
2. gateway.vic.au
3. 202.90.206.224
4. bundle-ether35.777.bdr02-ipt-4edenpar-syd.au.superloop.com
5. as60068.nsw.ix.asn.au
6. 44-44-44-33.adguard-dns.com
I've changed this IP to a random one; the one actually being returned is incorrect and does not match what https://www.whatsmydns.net/ reports from any other DNS server I tested.
Adguard config
Adguard listens on these interfaces
- 192.168.2.1
- 192.168.4.1
- 127.0.0.1
Upstream DNS servers
208.67.222.222
208.67.220.220
[/pool.ntp.org/]1.1.1.1
[/pool.ntp.org/]1.0.0.1
[/lan/]127.0.0.1:54
[//]127.0.0.1:54
Bootstrap DNS servers
9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10
Private reverse DNS servers
192.168.2.1:54
192.168.4.1:54
192.168.5.1:54
On the router, over SSH, the output of
ubus call system board;
uci export network;
uci export dhcp; uci export firewall;
netstat -lnp | grep 53; nslookup openwrt.org 127.0.0.1;
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
returns the following.
I've removed some port forwards and other things that aren't relevant.
Summary
`{
"kernel": "6.6.86",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.1",
"revision": "r***-04**",
"target": "mediatek/filogic",
"description": "OpenWrt 24.10.1 r***-04**",
"builddate": "1744562312"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc5:29dc:2df2::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
option defaultroute '0'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option peerdns '0'
list dns '192.168.2.1'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
option peerdns '0'
list dns '2001:4860:4860::8888'
list dns '2001:4860:4860::8844'
config route
option target '192.168.3.0/24'
option gateway '192.168.2.8'
option interface 'lan'
config device 'iot_dev'
option type 'bridge'
option name 'br-iot'
config interface 'iot'
option proto 'static'
option device 'br-iot'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
option defaultroute '0'
config device 'ciot_dev'
option type 'bridge'
option name 'br-ciot'
config interface 'ciot'
option proto 'static'
option device 'br-ciot'
option ipaddr '192.168.5.1/24'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option port '54'
option cachesize '0'
option noresolv '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dhcp_option '3,192.168.2.1'
list dhcp_option '6,192.168.2.1'
list dhcp_option '15,lan'
list dns 'fdc5:29dc:2df2::1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'iot'
option interface 'iot'
option start '100'
option limit '150'
option leasetime '24h'
list dhcp_option '3,192.168.4.1'
list dhcp_option '6,192.168.4.1'
list dhcp_option '15,iot'
config dhcp 'ciot'
option interface 'ciot'
option start '100'
option limit '150'
option leasetime '12h'
package firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option target 'DNAT'
option name 'DNS Intercept'
list proto 'udp'
option src 'lan'
option src_dport '53'
option dest_ip '192.168.2.1'
option dest_port '53'
config zone 'iot'
option name 'iot'
option network 'iot'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config forwarding 'iot_wan'
option src 'iot'
option dest 'wan'
config rule 'iot_dns'
option name 'Allow-DNS-IoT'
option src 'iot'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'iot_dhcp'
option name 'Allow-DHCP-IoT'
option src 'iot'
option dest_port '67-68'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config forwarding 'lan_iot'
option src 'lan'
option dest 'iot'
config zone 'ciot'
option name 'ciot'
option network 'ciot'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config rule 'ciot_dns'
option name 'ciot_dns'
option src 'ciot'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
option enabled '0'
config rule 'ciot_dhcp'
option name 'ciot_dhcp'
option src 'ciot'
option dest_port '67-68'
option target 'ACCEPT'
option proto 'tcp udp'
config forwarding 'ciot_forward'
option src 'ciot'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'ciot'
tcp 0 0 192.168.4.1:53 0.0.0.0:* LISTEN 3490/AdGuardHome
tcp 0 0 192.168.2.1:53 0.0.0.0:* LISTEN 3490/AdGuardHome
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3490/AdGuardHome
tcp 0 0 fe80::9083:c4ff:fea3:2532:54 :::* LISTEN 19998/dnsmasq
tcp 0 0 fe80::9483:c4ff:fea3:2532:54 :::* LISTEN 19998/dnsmasq
tcp 0 0 fe80::9683:c4ff:fea3:2531:54 :::* LISTEN 19998/dnsmasq
tcp 0 0 fe80::9683:c4ff:fea3:2531:54 :::* LISTEN 19998/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 3490/AdGuardHome
udp 0 0 192.168.4.1:53 0.0.0.0:* 3490/AdGuardHome
udp 0 0 192.168.2.1:53 0.0.0.0:* 3490/AdGuardHome
udp 0 0 fe80::9683:c4ff:fea3:2531:54 :::* 19998/dnsmasq
udp 0 0 fe80::9683:c4ff:fea3:2531:54 :::* 19998/dnsmasq
udp 0 0 fe80::9483:c4ff:fea3:2532:54 :::* 19998/dnsmasq
udp 0 0 fe80::9083:c4ff:fea3:2532:54 :::* 19998/dnsmasq
Server: 127.0.0.1
Address: 127.0.0.1:53
Non-authoritative answer:
Name: openwrt.org
Address: 64.226.122.113
Non-authoritative answer:
Name: openwrt.org
Address: 2a03:b0c0:3:d0::1a51:c001
lrwxrwxrwx 1 root root 16 Apr 13 16:38 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 47 May 4 01:23 /tmp/resolv.conf
-rw-r--r-- 1 root root 120 May 1 08:22 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 120 May 1 08:22 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
Interface wan
nameserver 192.168.2.1
Interface wan6
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844`
I'm not sure whether the IPv6 config could be interfering with any of the DNS setup; it's the default config for that.